Tuesday, May 17, 2011

Your social security number is a very poor password

I've written before about why using social security numbers as an identifier is a bad idea. But why learn from others' mistakes, when you can learn from your own?

First Tech Federal Credit Union is the product of the merger of First Technology Credit Union and Addison Avenue Credit Union and they're finally integrating their banking systems. As always, there are a few hiccups in the process. For example, some members are getting new account numbers since there are conflicting account numbers between the two.

There's a bigger problem with the phone banking system. As part of the transition, they need to reset the PINs of all members of the old First Tech (Addison Avenue members are not affected). I'm guessing this is because they're moving the First Tech members over to the old Addison Avenue system. According to the First Tech integration guide (page 11), they're making two changes during the transition at the end of May:
  • you will be able to "use any of your account numbers to login"
  • "we'll reset your Phone Banking PIN to the last four digits of your social security number"
When you write a check, many businesses ask for the last four digits of your SSN for identification or verification purposes. So anyone with a copy of that check now has exactly what they need to access your account by phone.
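
An added example, not part of the original post and not First Tech's code: a check that a PIN-issuing system could run to reject any PIN, default or member-chosen, that can be derived from data the member routinely discloses. It goes beyond the SSN case above to birth date, phone and account numbers; the record layout, field names and sample values are assumptions.

```python
import re

# Constructed member record: every value is made up for illustration.
SAMPLE_MEMBER = {
    "ssn": "000-00-4821",            # area 000 is never issued
    "birth_date": "1975-03-09",      # ISO format, YYYY-MM-DD
    "phone": "503-555-0142",
    "account_numbers": ["0004417", "9921208"],
}


def _digits(value):
    """Strip separators so '000-00-4821' becomes '000004821'."""
    return re.sub(r"\D", "", value)


def derivable_pins(member):
    """Map each 4-digit PIN derivable from the record to the reason why."""
    found = {}

    def add(pin, reason):
        if len(pin) == 4 and pin.isdigit():
            found.setdefault(pin, reason)  # keep the first reason on collision

    ssn = _digits(member["ssn"])
    add(ssn[-4:], "last four digits of SSN")
    add(ssn[:4], "first four digits of SSN")
    year, month, day = member["birth_date"].split("-")
    add(month + day, "birth month and day")
    add(day + month, "birth day and month")
    add(year, "birth year")
    add(_digits(member["phone"])[-4:], "last four digits of phone number")
    for number in member["account_numbers"]:
        add(_digits(number)[-4:], "last four digits of an account number")
    return found


def audit_pin(member, pin):
    """Return why `pin` is guessable from the member's own data, or None."""
    return derivable_pins(member).get(pin)


if __name__ == "__main__":
    for pin in ("4821", "0309", "7302"):
        verdict = audit_pin(SAMPLE_MEMBER, pin) or "not derived from member data"
        print(pin, "->", verdict)
```

A reset policy like the one quoted from the integration guide fails this check for every member, because the assigned PIN is by definition the first entry the audit produces.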

How sure are you that your account is safe? I'm not – which is why I asked First Tech to disable phone banking on my account.

I love First Tech and have been a member for a long time. Before posting this, I contacted First Tech to notify them of the problem. Their response:
"We could not issue new PINs to members because they would have to be issued after our system conversion, which would leave members without access to Phone Banking for at least several days. Setting the PINs to the last 4 digits of the Social Security Number allows members to continue to access Phone Banking during this system conversion. At this point we are moving forward with the plan as stated in the integration guide."
I hope that First Tech will change this decision, but in the meantime, I know that many members will not be aware that their accounts are at risk. Unfortunately, I can't be as sure that hackers aren't targeting First Tech customers. In fact, First Tech is aware of this possibility and specifically advises people to watch out for "phishing" attacks during the transition.

Therefore, I've decided to write this blog post to publicize the problem. I recommend that you disable phone banking for your account before May 26th. To do this, call 1-800-637-0852 option 2 or sign into online banking and send First Tech a message asking them to disable phone banking.
